After Qatar deployment, AOptix sets sights to US with privacy questions galore.

CAMPBELL, CALIFORNIA—As I stand in AOptix’ demo room, I stare down the cameras built into a plastic column, reminiscent of the public safety call boxes I remember from college. I’ve never had my iris scanned before, and I'm asked to remove my glasses first.

The column blares out at me on a small screen: LOOK HERE.

I look. A small glow of red infrared light fills part of the column above the screen, and in just a few seconds, I’m confirmed: OK.

About a minute before, I had consented to give my iris data to the company. The tower, known as InSight Duo, took a scan of my iris to set up the "known record" of me. Had this been a real-life airport security station and my iris already part of its records, InSight could scan me in a few seconds, and I could be on my way.

The company claims it can scan more accurately, more quickly (six seconds), and at a greater distance (two meters) than any of its competitors. Most conventional iris scanners have to be used at a much closer distance and be held for far longer than six seconds. If AOptix is right, the company’s InSight Duo iris scanner will become the norm in airports and border crossings around the world, changing, and hopefully improving, the way we all experience security checkpoints. However, like any new identity technology, privacy questions abound.

For now, AOptix isn’t the only one who thinks it’s on the right track. In August 2012, AOptix announced it had received an additional round of $42 million in venture capital. In a recently published white paper, entitled "The Future Passenger Experience," (PDF) the company outlines its hope for a future with its iris scanners across airports.

"In an InSight-based eGate, a traveler would pass through border control by first scanning his biometric passport on the eGate and then authenticating his biometric record with the InSight," the company writes. "Once authenticated, the eGate will open and allow the passenger to continue on to baggage claim. The whole process could take between five and ten seconds. This integration makes for a fast, hassle-free experience for the passenger, removing much of the potential aggravation associated with a manual immigration process."

Two years from now: 200 million irises annually?

While the company has struggled to gain deployment around the United States—limited so far to a handful of Department of Defense facilities—AOptix has some of its devices in London’s Gatwick airport. So far, however, its best deployment has come in Qatar. Last year, the company announced the completion of bringing its InSight Duo scanners to all Qatari air, sea, and the country’s only land border with Saudi Arabia. All travelers entering or leaving the country must have their iris recorded into an immigration database.

Dubai International Airport, one of the region’s most trafficked airports, has also been testing the scanners. They say it has reduced its immigration wait time from an average of 49 minutes to just under one minute. The company says it's targeting other airports in the region, but declined to specify which ones. (Also, in the Arabic-speaking locations, the scanners are bilingual, displaying text in Arabic and English).

"If our business goes according to plan, we'll be transacting on the order of 100 million passengers [annually] in 18 to 24 months, worldwide," Joseph Pritikin, the company's director of product marketing, told me in a recent interview at the company’s headquarters.

American airports and locations will be a bit more difficult, though, as they tend to have more government scrutiny and much more competitive bidding.

Still, if Pritikin is right, the privately held Silicon Valley company stands to make a nice chunk of change selling the scanners at $40,000 a pop. After all, the size of the global airport security market is expected to reach $2.6 billion by the end of the year, according to the industry analysis firm IHS. Beyond airports, iris scanning is also used at other high-security areas, such as police facilities, banks, data centers, and military installations. A New Jersey school even installed it back in 2006.

Pritikin argues that one of the main reasons why people find air travel so frustrating is that they have to wait in lines, primarily at airport security and immigration stations. Air travel, more than any other form of transportation, has significant bottlenecks that require identity and document verification.

"You have so many people going through these airports," he added. "There’s limited floor space. If you want to scale, automation is a great way to scale. [Airport executives are asking themselves]: ‘How do I get 10 million more passengers through this year than last year?’"

After all, who among us wouldn’t rather spend our free time in airports eating, drinking, surfing the ‘Net, and shopping—rather than standing in the immigration queue?

This is the type of image that an infrared iris scanner would capture.

Hacking an iris code

Iris scanning-based identification was first theorized way back in the 1930s, but was not made commercially available until the 1990s. The iris is particularly advantageous as a biometric. The random fluctuations established in the pattern of the iris are established in early childhood, do not change over time, and carry unique characteristics—even genetic twins have unique irises.

In addition, the iris can be scanned at a distance, unlike fingerprints which always involve physical touch. That means it can be used by cultures and people sensitive to touching a surface that others have also used. Better yet, iris scanners look for 240 distinct points of difference, as opposed to only a few dozen for fingerprints.

Today, most commercial eye scanners use an algorithm developed by John Daugman, an American mathematician who now works in the United Kingdom. The Cambridge-based physics professor also says he's been impressed with AOptix' technology and calls himself a "supporter."

"Within the field of iris recognition, I would say [AOptix] is currently the best 'at-a-distance' acquisition interface," he told Ars.

Once the image of the iris is taken, the donut-shaped image of the iris (minus the pupil) is stretched out into a rectangle. Then, the minute differences found within the grayscale image are detected and run through a cryptographic formula.

Once complete, that output is known as an "iris code," or a binary representation of the image. That code is securely kept in the corporate or government database as the established record of the person. When that person comes back to the iris scanner at a sensitive location, the new scan repeats that process, comparing the new iris code to that original. It was previously believed that an iris code could not be reverse engineered to create a synthetic iris image.

However, in July, a team of American and Spanish researchers presented a way to do just that. By taking a given iris code, they were able to reconstruct an artificial image of a fake iris that looked very similar to the real thing. That should certainly give security experts pause.

First, the breach presumes access to the iris code itself, which normally would be under strong security and strong cryptography. Second, producing a fake iris on a screen is not the same thing as a fake iris that a scanner would believe is the real thing. AOptix’ scanners, in addition to examining the iris, look for other corresponding facial features to make sure that the iris in question is actually a real face.

"It had nothing to do with a scanner," Pritikin added.

AOptix, though, as a private company, has declined to release its proprietary hardware specifications and its source code.

Privacy: I can see clearly now

Privacy experts remain concerned though. As more and more biometrics become more widespread, it is a risky proposition to use as the primary way to identify travelers. Plus, why should we, the traveling public, trust a private company to retain our iris records safely?

"Information security will be critical for the use of iris scanners," writes Woodrow Hartzog, a privacy expert and professor at the Cumberland School of Law at Samford University, in an e-mail sent to Ars.

"One of the most significant problems with biometrics is that the compromise of personal data is presumptively permanent. New passwords can always be created, but we’ve only got one set of eyeballs and fingerprints. Biometric identification systems have been compromised in the past, sometimes with relative ease. A significant enough data breach could render an entire verification system unreliable."

It’s a fair point, too. The company has no stated privacy policy anywhere on its website, nor does it explain what cryptographic standards and techniques it uses to keep the data that it does collect.

"With the use of biometric technologies becoming increasingly prevalent in the public and private sectors, AOptix is committed to encouraging awareness of privacy issues for users and deployers of biometrics, as well as adherence to protective approaches to managing personal information when such technologies are deployed," a company spokesperson wrote in an e-mail sent to Ars.

"We agree that it is important to help provide clarity and the latest information on the topic. AOptix is in fact in the process of revamping its website. As part of that process, we plan to add more information on the topic."

Still, that hasn't been good enough for many critics.

"Privacy does not exist for [AOptix]," Ann Cavoukian, information and privacy commissioner of Ontario, told BusinessWeek last month.

Beyond the security and private custody of such data, others suggest that scanning people’s eyes won’t do very much in terms of screening out ne’er-do-wells, miscreants, and criminal suspects. After all, nearly all bad guys have eyes too.

"All of these identification technologies only work if there is this master list of bad guys," writes Bruce Schneier, a well-known security expert and author, in an e-mail to Ars. "Of course, there's no such list."

Perhaps though, these criticisms miss the point of iris scanning. It may not be necessarily better than what we have already—humans examining our identity documents—but it should be a whole lot faster and cheaper. And that pre-flight hour spent at the airport now may be precisely why we could see iris scanners in our future.

Promoted Comments

I don't see how establishing someone's identity is problematic today. The problem is what they are carrying. We all need photo ID and a boarding pass, and if traveling internationally, you need a passport and possibly a visa.

The only thing this changes is that the first TSA person you come to does not have to verify you to your photo ID to your boarding pass. As incompetent as the TSA is, they at least can do that sufficiently well.

At $40,000 each, you might be able to convince me that it'll replace 2 or 3 agents at that same salary for a total savings in 3 or 4 months the first year, and free after that. Unfortunately what I now about the TSA is these agents would just be freed up to swab your coffee.